[Bro] scan.bro and missing log entries
Tyler T. Schoenke
Tyler.Schoenke at colorado.edu
Thu Dec 2 14:07:09 PST 2010
On 12/02/2010 02:28 PM, Robin Sommer wrote:
> Actually it means that 100 hosts have been scanned and the *last*
> attempt triggering the alert was on port 506 (not necessarily all).
> When you were checking conn.log, did you filter for all connections
> involving that IP or just those on port 5060?
That would explain it. I'm guessing this machine was some sort of
software like P2P or Skype. Is there a way to change the scanner so it
only fires alerts when 100 hosts have been scanned on a single port?
It seems P2P type applications tend to fire a lot of scan
notifications. The other ones I see a lot are the Apple servers. Maybe
people connecting to them for updates?
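Added example (not from the thread and not Bro's scan.bro): Python run over constructed conn.log-style records, contrasting the aggregate count Robin describes, which reports only the port of the connection that crossed the threshold, with the per-port count Tyler asks for; the addresses and the threshold of 3 in place of 100 are constructed for the example.

```python
from collections import defaultdict

# Constructed conn.log-style records for the example: (orig_h, resp_h, resp_p).
# Not real traffic: 10.0.0.5 behaves like a P2P client (many hosts, mixed
# ports), 10.0.0.9 probes the same port on several hosts.
SAMPLE_CONNS = [
    ("10.0.0.5", "192.0.2.10", 6881),
    ("10.0.0.5", "192.0.2.11", 443),
    ("10.0.0.5", "192.0.2.12", 5060),
    ("10.0.0.9", "192.0.2.20", 22),
    ("10.0.0.9", "192.0.2.21", 22),
    ("10.0.0.9", "192.0.2.21", 22),   # repeat: same host, must not double count
    ("10.0.0.9", "192.0.2.22", 22),
]

def aggregate_scan_alerts(conns, threshold):
    """Count distinct responders per scanner across all ports. The alert
    names whichever port the threshold-crossing connection used, so a
    report can say 5060 without every scanned host having been on 5060."""
    seen = defaultdict(set)
    alerts = []
    for orig, resp, port in conns:
        hosts = seen[orig]
        if len(hosts) >= threshold:
            continue  # already alerted for this scanner
        hosts.add(resp)
        if len(hosts) == threshold:
            alerts.append((orig, port, len(hosts)))
    return alerts

def per_port_scan_alerts(conns, threshold):
    """Count distinct responders per (scanner, port) pair, so P2P-style
    traffic spread across many ports never reaches the threshold."""
    seen = defaultdict(set)
    alerts = []
    for orig, resp, port in conns:
        hosts = seen[(orig, port)]
        if len(hosts) >= threshold:
            continue  # already alerted for this scanner/port pair
        hosts.add(resp)
        if len(hosts) == threshold:
            alerts.append((orig, port, len(hosts)))
    return alerts

if __name__ == "__main__":
    print("aggregate:", aggregate_scan_alerts(SAMPLE_CONNS, 3))
    print("per-port: ", per_port_scan_alerts(SAMPLE_CONNS, 3))
```

With the sample records the aggregate rule flags the P2P-like host and attributes the alert to port 5060, while the per-port rule flags only the host hitting port 22 on three distinct responders.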